Sunday, October 26, 2008

Significant news from Belgium where it's being reported that ISP Scarlet has succeeded in overturning the injunction requiring it to monitor users and filter out illegal peer to peer filesharing of music. That injunction, granted in June 2007, was the first in a series of attempts by the music industry to oblige ISPs to police their users, and was granted on the basis of evidence by SABAM (representing the industry) that monitoring downloads and filtering infringing content was both technically feasible and cost effective. Since then, however, Scarlet has demonstrated to the court that even the system of filtering suggested by SABAM - produced by Audible Magic - was technically unworkable and that SABAM had deceived the court by falsely representing that the technology had been used elsewhere (automatic translation). On that basis the trial court has set aside the order against Scarlet.

This is far from an end of the matter - it seems (though the reports are unclear) that the trial court still proposes to require Scarlet to filter if an effective solution can be found, an appeal against the original decision remains scheduled for the Court of Appeal in Brussels next year (automatic translation) and ultimately it looks likely that the ECJ will have to decide whether in principle ISPs can be obliged to filter user connections in this way. In the meantime, though, it's a significant blow for the music industry insofar as it undermines their argument that filtering is a technically viable solution. It also couldn't come at a better time for Eircom who will be defending an Irish rerun of the SABAM v. Scarlet litigation in the High Court in Dublin in the near future.

Monday, October 06, 2008

Normally I'm not a fan of press releases dressed up as news stories. You know the type - "163% of Irish adults are Vitamin X deficient" (survey sponsored by manufacturers of Vitamin X). But I had to make an exception for this story on National Identity Fraud Prevention Week as the sponsors Fellowes (who unsurprisingly make shredders) have produced a very good site with tips on identity fraud, phishing and more. While I'm sure the savvy readers of this blog wouldn't dream of replying to that plausible looking email from PayPal, there are more subtle risks which are pointed out in an accessible way. Recommended.

Friday, October 03, 2008

In K.U. v. Finland the European Court of Human Rights has decided to hear a potentially very significant case considering whether victims of online activity may have a right to identify the internet users alleged to be responsible.

In this case the applicant, who was then aged 12, was the victim of a fake personal ad giving his name, phone number, date of birth and his picture and claiming that he was looking for a homosexual relationship. The applicant learned of this when he received a phone call from an older man. Although that man was eventually identified and charged with an offence the person who placed the ad remained unidentified. The police sought to find out (from the ISP) the name of the subscriber behind the dynamic IP address used to place the ad. The service provider however was advised that it was bound by the duty of the confidentiality of telecommunications and could not reveal the user's identity. The Finnish courts ultimately agreed, holding that the law as it stood provided for this information to be revealed only in respect of specified criminal offences - and although defamation ("calumny") was a criminal offence, it was not a sufficiently serious offence to fall within the scope of the legislation.

The applicant applied to the European Court of Human Rights, claiming simply that the fake ad constituted a violation of his right to a private life under Art. 8 of the ECHR, and that as he could not identify the person responsible he had been denied an effective remedy for that violation under Art. 13 ECHR. The case is currently pending.

So why does the case matter? Although the facts are narrow, the implications may be quite wide and may require states to introduce much more extensive rules for identifying internet users. In particular (and I'm obliged to Patrick Breyer for these points) the action presupposes that an effective remedy for a victim requires the identification of (alleged) wrongdoers. But this overlooks the fact that other effective remedies (such as notice and takedown procedures and host liability) already exist and were provided for in Finnish law. In addition, the claim that access to this information must be available even in respect of minor crimes ignores the principle of proportionality - respected even in the Data Retention Directive - under which access to communications data should generally be limited to cases of serious crime. Similarly, most national caselaw has required a showing of proportionality before courts will order users' identities to be disclosed. I've written before about the issues involved in identifying internet users.